I want to restrict user to update or read only their data based on their user I'd.
So I want to get this I'd from jwt token user sends in request.
How can I do it using Oracle database action and pl/sql
Related
I googled about this question several days but I couldn't find good resources for my question.
I wanna get the list of roles assigned to ORDS_PUBLIC_USER after a client authorized with the auth2 method (with client_id and secret_key) to call services. how do that? and my other question is how to get which client_id(authorized) and calling services now?
thanks in advance
When a new OAuth token is requested, a row is added to the table ORDS_METADATA.SEC_SESSIONS with that token's information.
In the definition of your REST API, you should be able to get the OAuth token using UTL_HTTP.GET_HEADER and look up that token's information in the table. The STATE column of ORDS_METADATA.SEC_SESSIONS contains JSON that has information about what that token has access to which includes the roles that this token has access to.
You can then use the USERID column of the ORDS_METADATA.SEC_SESSIONS table to match to the CLIENT_ID column of the ORDS_METADATA.OAUTH_CLIENTS or USER_ORDS_CLIENTS table/view to find the OAuth client that the token is associated with.
I am using TDD to implement APIs for an authentication system in Laravel. This system uses the one-time-password (OTP) method for authentication. In the first step, an OTP token is issued for the user and stored in the session. In the second step, the server receives a request containing an OTP token from the user and checks if the received OTP token is identical to the one stored in the session.
I have written a test for a scenario where the user sends an invalid OTP token to the server, but I don't have access to the server session in the test, so I cannot compare the invalid token against the session value.
Is there a better way than using sessions to implement this? Is there a solution to access the server session in the test?
Thank you all.
Database
Add a column to the users table for OTP
Step 1:
generate OTP and issue to the customer
Store OTP in database
Step 2:
Server receives request from user with OTP
compare against value in database and delete from database
Pros: Simple to setup
Cons: Additional database queries and need to remember to delete it even if after issuing OTP to user request from user is never made
Cache
Step 1:
Generate and issue OTP to user
Store OTP in Cache
Cache::put("otp-{$user->id}", OTP, now()->addMinutes(5));
Step 2:
Server receives request from user with
Check against the value in cache
Pros: Simple to setup and OTP can be destroyed automatically
Cons: Cache management becomes vital area of application
I have Oracle APEX 5.1 and Oracle Forms 6i installed.
Now I am wondering how can I call Oracle APEX application from my Forms menu.
Option 1: Full URL to aplication + parameters username/password - not safe
Option 2: Full URL to aplication log in - not elegant.
What I am looking for is function that will take parameters username,password, aplication ID, ... and return full URL to aplication.
Is that possible / best approach?
You would probably do best to look at a new way of authenticating that avoids needing the password altogether, yet remains secure. One way is to call a procedure from the Forms application that generates a single-use, short-lived token specific to the user, then pass that token to APEX along with the username. The APEX authentication scheme then checks that the token is current and valid for the user, and if so allows access.
For example, the token could be generated as a random string, and stored on the user database record in hashed form (combined with the username as salt) along with a timestamp of when it was generated. The authentication scheme checks that the token passed is the same as the one on the user record and that the timestamp on the user record is within the last N seconds. It might then reset the token to NULL in the database. The key point is that it must be "impossible" (read: very hard) for anyone to guess what the token is even if they can see the hashed value in the table.
I would like to assign a scope that is equal to user's id_groups field with every token generated by Password Grant Client.
I know that I can generate custom tokens by using Personal Access Tokens, but what about Password Grant Client?
I used token created event (built in passport) to update the scope after creation. Dirty but working solution
Laravel5.4 authenticate users from api source, i.e. without database table for user/admin. I expected JSON response from Api, after success how to use the Auth class so that I can maintain the sessions and authentication just like database. Do I have to make custom auth? If so how will I initiate attempt method as it checks for database. I have made admin guard, Is there any way to accomplish this. Thank you.